1. Field
The invention relates generally to the use of trust association interceptors, and more specifically to a universal trust association interceptor that substitutes a fundamental identification in a request for a protocol identification.
2. Description of the Related Art
Application servers, such as IBM's WebSphere® Application Server, authenticate and authorize user requests for services and applications. When a user has been authenticated by an authentication system other than the application server hosting the requested service, the user's authentication may be communicated to the application server hosting the requested service rather than requiring the user to re-authenticate. This process is known as identity assertion and may be performed by a Trust Association Interceptor (TAI).
TAIs are components that determine a user's identification for an incoming request and assign the identification to user principals of the application server. A TAI propagates the user principal to the application server through the use of credentials that are used by downstream applications hosted by the application server.
TAIs generally imply that the application server works in conjunction with a reverse proxy security server, such as IBM's Tivoli Access Manager WebSEAL. A reverse proxy security server (RPSS) may act as a front-end authentication server while the applications hosted by the application server may apply their own authorization policies to a user's credentials.
Requests utilizing different protocols, such as the hypertext transfer protocol (HTTP) and the session initiation protocol (SIP), handle identification information in different ways. As a result, incoming requests that utilize different protocols may be issued different credentials, even though the same user generated the requests that utilize different protocols. A method for handling these issues comprises using additional separate components to track all the different credentials corresponding to a user, but using additional components increases system complexity. Another method for handling these issues comprises using duplicate sets of data that correspond to each request's type and protocol. Using additional components and duplicate sets of data is costly and inefficient.
Therefore, a need exists for a simple way for a single TAI to handle multiple identifications internally without a complicated architecture.